A general class of authentication schemes for arbitrary quantum messages is proposed. The class is 
based on the use of sets of unitary quantum operations in both transmission and reception, and on 
appending a quantum tag to the quantum message used in transmission. The previous secret between 
partners required for any authentication is a classical key. We obtain the minimal requirements on 
the unitary operations that lead to a probability of failure of the scheme less than one. This failure 
may be caused by someone performing a unitary operation on the message in the channel between 
the communicating partners, or by a potential forger impersonating the transmitter. 



I. INTRODUCTION 



Providing a way to check the integrity of information transmitted over or stored in an unreliable medium is of 
prime concern to the fields of open computing and communications. Mechanisms that provide such integrity checks 
are called message authentication schemes. They were originally proposed by Gilbert and co-workers, while 
the general theory of unconditional authentication was developed by Simmons (see e.g. [12]). 
In the analysis of any message authentication scheme one has to consider three participants: a transmitter (Alice), 
a receiver (Bob), and an opponent (Eve). Alice wishes to communicate some information (the plain-text) to Bob using 
a public communications channel; Bob, in turn, would like to be confident that any information received actually came 
from Alice, rather than from some third party (Eve). Much as in the usual encryption scenario, classical cryptography 
provides two different approaches to authentication: secret-key and public-key authentication. In this paper we will 
focus on the first scenario, the secret-key setting, and therefore we shall assume that Alice and Bob share some secret 
key previously established in a secure manner. This key allows Alice to select an encoding rule (a one-to-one function 
between the set of plain-texts and the set of messages, also called cipher-texts), chosen from a predetermined set, 
and encode the plain-text to obtain the message, which is then sent to Bob through the channel. The encoding rule, 
which is usually changed every time a new message is transmitted, defines a set of valid messages. Upon receiving a 
message, Bob accepts it as being authentic (i.e. as coming from Alice) if and only if it belongs to that set, in which 
case he will recover the plain-text by applying the corresponding decoding rule. This decoding rule is well-defined since 
each encoding rule is one-to-one. 

A special class of secret-key message authentication schemes are message authentication codes (MACs), which 
contain the plain-text in the clear. In this case, each encoding rule generates, depending on the value of the actual 
plain-text, an authenticator or tag that is appended to the plain-text before actually sending it. MAC decoding rules 
return, depending on the plain-text and the tag, a bit indicating when Bob must regard the message as authentic, 
and accept it as coming from Alice, and when he must discard it. The basic requirement is that the tags, which 
are produced by the encoding rule, must be accepted as valid when the matching decoding rule is used on reception. 
When an authentication protocol fulfills this requisite it is said to provide perfect deterministic decoding. Wegman and 
Carter introduced several information-theoretic secure constructions for such schemes. Basically, their techniques 
use universal hash families as the coding set. To generate the tag, Alice uses a particular hash function, selected from 
the universal hash family by the secret key. This action compresses the plain-text to a smaller string of bits. The 
string of bits can be later encrypted using the Vernam cipher. This last step allows the encoding rules to be re-used, 
since Eve cannot obtain any information about the particular hash function used by Alice and Bob. 

The possibility of employing quantum resources to obtain more efficient classical-message quantum authentication 
schemes is still an open issue. In p] the authors showed that, using quantum effects, the authentication of a binary 
classical message is possible with a key of length shorter than the one required by classical schemes. However, it is 
not clear yet whether more efficient quantum techniques exist for longer messages. 

While the authentication of classical messages is a fundamental topic in classical communications networks, the 
analogous quantum problem, the authentication of quantum states, could also become important in future quantum 
information communication systems. Leung has addressed this question partially in [10]. Her proposal is based on 
a modification of the private quantum channel ^. The authentication process requires a classical secret key, a 
quantum communications channel, and an authenticated two-way classical one. Another classical secret-key quantum 
authentication protocol, but without additional classical communication, has been proposed in This scheme uses 
stabilizer purity testing codes, and its error probability decreases exponentially with the length of the quantum tag. 
Rather surprisingly, the authors also showed that any protocol that guarantees unconditionally secure authenticity 
must encrypt the quantum plain-text almost perfectly. This fact contrasts with classical MACs, where encryption 
of the plain-text is not necessary for unconditional security. More recently, Gea-Banacloche has approached data 
authentication from a steganographic perspective, making use of standard quantum correcting code techniques. 

In this paper we analyse a special class of authentication schemes for quantum messages. In particular, we study 
those which use classical secret keys and coding sets composed of unitary operations. Our main goal is to find the 
minimal conditions that must be satisfied by any unitary coding set so as to make quantum authentication possible. 
We analyse the security of the scheme under two general attacks. In the first one, the unitary attack, Eve, who knows 
both the coding and decoding sets, tries to modify the cipher-text by means of a unitary operation. In the second, the 
forgery attack, Alice has not initiated the transmission yet (or it may have been blocked by Eve), and Eve attempts 
to prepare a new fake quantum message with the purpose of passing Bob's verification test. 

The paper is organized as follows. In Sec. II we describe general authentication schemes for quantum messages, and 
we introduce those which use unitary coding sets. We also present some notation used in the paper. Sec. III analyzes 
the unitary attack, and Sec. IV focuses on the forgery attack. In Sec. V we discuss the restrictions that these two 
attacks impose upon both coding sets. Finally, we present our conclusions in Sec. VI. 

II. AUTHENTICATION OF QUANTUM MESSAGES 

Suppose Alice needs to send a certified quantum message to Bob. Her goal is to make Bob confident about the 
authenticity of the message and sender. If we consider a scenario where both participants share a quantum secret key 
(for example, a set of EPR pairs), and they have access to an authenticated classical channel, then the solution is quite 
simple: Alice can just use quantum teleportation Q to send the quantum plain-text. However, the reliable storage 
and manipulation of entangled quantum objects is not technologically available yet, so a more practical situation 
arises when the secret key shared by the two partners is classical. 

Analogously to the classical setting, quantum authentication with a classical secret key can be performed in three 
phases: 

1. Tagging: To certify her message (the plain-text), Alice appends to it a particular publicly known quantum state 
that we shall call, following the standard classical notation, a tag. Specifically, we will assume that both message 
and tag quantum states belong, respectively, to the state spaces $\mathcal{M}$ ($\dim(\mathcal{M}) = M$) and 
$\mathcal{T}$ ($\dim(\mathcal{T}) = T$). The space of tagged messages is defined, therefore, as 
$\mathcal{E} = \mathcal{M} \otimes \mathcal{T}$. Alice and Bob also openly agree on a particular 
splitting of the tag space $\mathcal{T}$ into the direct sum of two subspaces $\mathcal{T} = \mathcal{V} \oplus \mathcal{V}^\perp$, 
where $\mathcal{V}$ is considered the subspace of valid tags and $\mathcal{V}^\perp$ the subspace of invalid tags. 
This splitting of $\mathcal{T}$ leads naturally to the direct sum $\mathcal{E} = \mathcal{C} \oplus \mathcal{C}^\perp$, 
where $\mathcal{C} = \mathcal{M} \otimes \mathcal{V}$ will be the subspace of valid messages (usually called the code space; 
$\dim(\mathcal{C}) = C$), and $\mathcal{C}^\perp = \mathcal{M} \otimes \mathcal{V}^\perp$ will be the subspace of invalid 
messages ($\dim(\mathcal{C}^\perp) = D$). The original tagged message has the general form 
$\rho_{\mathcal{E}} = \rho_{\mathcal{M}} \otimes \rho_{\mathcal{T}}$, with $\rho_{\mathcal{M}}$ the plain-text quantum message 
and $\rho_{\mathcal{T}}$ any state in $\mathcal{V}$. 

2. Encoding: After the tagging procedure has been completed, Alice, depending on the value of the $n$-bit key, $k$, 
shared with Bob, performs an encoding rule on the tagged message. In principle, encoding (and decoding) rules 
could be trace-preserving completely positive maps (TPCP), but in this paper we will restrict ourselves to the 
case of unitary rules. Therefore, the encoding rule, $U(k)$, is selected from the unitary coding set 
$\{U(0), \dots, U(K-1)\}$, where $K = 2^n$ and, without loss of generality, we set $U(0) = I$. If the tagged message 
is $\rho_{\mathcal{E}}$, then the state of the message Alice sends to Bob is given by 

$$\rho_{\mathcal{E}}(k) = U(k)\,\rho_{\mathcal{E}}\,U^\dagger(k). \tag{1}$$

Thus, a tagged message encoded by Alice with $U(k)$ will necessarily belong to $\mathcal{C}_k$, the subspace of all the tagged 
messages transformed by $U(k)$. 

3. Verification: To verify the authenticity of the received message, Bob needs to check whether it belongs to $\mathcal{C}_k$ or 
not. In the latter case, he should regard the message as invalid and so discard it. One way in which Bob can 
make this check is performing the matching decoding rule $U^\dagger(k)$ (from the decoding set 
$\{U^\dagger(0), \dots, U^\dagger(K-1)\}$) on the received encoded tagged message, and then measure the tag portion to see 
whether the resulting tagged message belongs to $\mathcal{C}$ or to $\mathcal{C}^\perp$. If it belongs to $\mathcal{C}$, and no 
forgery on the encoded tagged message has taken place in transit, he could unambiguously recover the original plain-text, 
just tracing out the tag system. 

In the next two sections we shall analyse the minimal conditions that any unitary coding set must satisfy in order 
to make authentication possible. It should be clear from the outset that we are not looking for the optimal coding 
sets, defined as those which make the probability of failure of the protocol minimal. Therefore, our scheme will be 
secure if Eve can only break it in a probabilistic way. We shall study two general attacks. In the unitary attack 
we shall regard Eve capable of modifying the state in the channel by means of a unitary operation; in the case of 
forgery we shall assume that Eve can intercept the state travelling from Alice to Bob, discard it, and forge a new 
tagged message. In both cases we shall frequently use operators acting on the space $\mathcal{E}$, and we shall be interested in 
describing how these operators act on the $\mathcal{C}$ and $\mathcal{C}^\perp$ subspaces. If we define the orthogonal projection 
operators $P_i$ and $P_o$ as the ones that, respectively, project a state from $\mathcal{E}$ into $\mathcal{C}$ or $\mathcal{C}^\perp$, 
an arbitrary operator can be written as 

$$A_{\mathcal{E}} = A_{ii} + A_{io} + A_{oi} + A_{oo}, \tag{2}$$

where $A_{jk} = P_j A_{\mathcal{E}} P_k$, with $j,k = i,o$. If the decomposition (2) is used in operator expressions of the form 
$X_{\mathcal{E}} = A_{\mathcal{E}}\,\rho_{\mathcal{E}}\,A_{\mathcal{E}}^\dagger$, the corresponding 'i-o' operators are related by the matrix equation 

$$\begin{pmatrix} X_{ii} & X_{io} \\ X_{oi} & X_{oo} \end{pmatrix} = \begin{pmatrix} A_{ii} & A_{io} \\ A_{oi} & A_{oo} \end{pmatrix} \begin{pmatrix} \rho_{ii} & \rho_{io} \\ \rho_{oi} & \rho_{oo} \end{pmatrix} \begin{pmatrix} A^\dagger_{ii} & A^\dagger_{oi} \\ A^\dagger_{io} & A^\dagger_{oo} \end{pmatrix}, \tag{3}$$

where $A^\dagger_{jk} = P_k A^\dagger_{\mathcal{E}} P_j$. 

III. THE UNITARY ATTACK 

Let us assume that Eve performs a unitary quantum operation, $F_{\mathcal{E}}$, on the encoded tagged message in transit between 
Alice and Bob. This operation changes the state of the encoded message from $\rho_{\mathcal{E}}(k)$ to 
$F_{\mathcal{E}}\,\rho_{\mathcal{E}}(k)\,F_{\mathcal{E}}^\dagger$. Bob, ignorant 
of this malicious action, will perform his decoding operation on the encoded tagged message received, obtaining 
as the decoded tagged message the state 

$$\rho^{B}_{\mathcal{E}}(k) = U^\dagger(k)\,F_{\mathcal{E}}\,\rho_{\mathcal{E}}(k)\,F^\dagger_{\mathcal{E}}\,U(k) = Q(k)\,\rho_{\mathcal{E}}\,Q^\dagger(k), \tag{4}$$

where $Q(k) = U^\dagger(k) F_{\mathcal{E}} U(k)$. Thus, Eve will be successful in her attack if, when the key $k$ was used, 
$\rho^{B}_{\mathcal{E}}(k) \in \mathcal{C}$. This condition can also be written in terms of the action of the $P_i$ operator as 

$$P_i\,\rho^{B}_{\mathcal{E}}(k)\,P_i = \rho^{B}_{\mathcal{E}}(k). \tag{5}$$

Since Eve does not know either which key Alice and Bob used or the actual message sent, $\rho_{\mathcal{E}}$, the probability of her 
action being unnoticed is one if and only if 

$$\rho^{B}_{\mathcal{E}}(k) \in \mathcal{C}, \quad \forall k, \ \forall \rho_{\mathcal{E}} \in \mathcal{C}. \tag{6}$$

Using Eq. (^) in Eq. (^), one can rewrite (||) as 

$$Q_{oi}(k) = 0, \quad \forall k. \tag{7}$$

Given the unitarity of the $Q(k)$ operators, Eq. (7) implies that $Q_{io}(k) = 0$, $\forall k$. In particular, for $k = 0$, we have 
that $Q_{oi}(0) = Q_{io}(0) = 0$, which, since $U(0) = I$, requires that $F_{oi} = F_{io} = 0$. All these restrictions on $F_{\mathcal{E}}$ can be 
summarized in the following commutators: 

$$[F_{\mathcal{E}}, P_i] = 0, \tag{8}$$

$$[F_{\mathcal{E}}, P_i(k)] = 0, \quad \forall k \neq 0, \tag{9}$$

where the $P_i(k) = U(k) P_i U^\dagger(k)$ are the projectors resulting from the transformation of the $P_i$ by the unitary operations 
$U(k)$. The commutator (8) requires Eve to use a block-diagonal unitary operator in her attack. The block structure 
of $F_{\mathcal{E}}$ depends on how Alice and Bob decided to split $\mathcal{E}$ into $\mathcal{C}$ and $\mathcal{C}^\perp$. This information 
is public, so we shall assume that Eve can always fulfill (8). But can she always fulfill the $K - 1$ commutators in (9)? The $P_i(k)$ in these 
commutators can be written, making use of the 'i-o' decomposition, as 

$$\begin{pmatrix} U_{ii}(k)U^\dagger_{ii}(k) & U_{ii}(k)U^\dagger_{oi}(k) \\ U_{oi}(k)U^\dagger_{ii}(k) & U_{oi}(k)U^\dagger_{oi}(k) \end{pmatrix} = \begin{pmatrix} G_{ii}(k) & H(k) \\ H^\dagger(k) & G_{oi}(k) \end{pmatrix}. \tag{10}$$

Assuming the block-diagonal form for $F_{\mathcal{E}}$, and using the notation introduced in (10), the commutators in (9) can be 
expressed in block form as: 

$$[F_{ii}, G_{ii}(k)] = 0, \tag{11}$$
$$[F_{oo}, G_{oi}(k)] = 0, \tag{12}$$
$$F_{ii}H(k) = H(k)F_{oo}, \tag{13}$$
$$F_{oo}H^\dagger(k) = H^\dagger(k)F_{ii}, \tag{14}$$

$\forall k \neq 0$. Therefore, Eve would always be successful in her attack if she could find two unitary operators $F_{ii}$ and $F_{oo}$ 
obeying (11)-(14). 

A. A simpler case: K = 2 

The problem posed by Eqs. (11)-(14) is quite complex. In order to gain some insight into its possible solution, we 
shall begin studying the simpler case $K = 2$ (Alice and Bob share a key of just one bit). In this case, Eqs. (11)-(14) 
reduce to 

$$[F_{ii}, G_{ii}] = 0, \tag{15}$$

$$[F_{oo}, G_{oi}] = 0, \tag{16}$$

$$F_{ii}H = HF_{oo}, \tag{17}$$

$$F_{oo}H^\dagger = H^\dagger F_{ii}. \tag{18}$$

Since $G_{ii}$ and $G_{oi}$ are Hermitian operators, and because one can always find an operator that commutes with a 
Hermitian operator, we could begin solving the equations above selecting the $F_{ii}$ that fulfills (15) or, alternatively, 
selecting the $F_{oo}$ that fulfills (16). Then we could obtain $F_{oo}$ (or $F_{ii}$) from (17). This last step, however, requires a 
previous discussion about the nonsingular character of $H$. First, note that $H$ need not be square (it would be square if 
$\dim(\mathcal{C}) = \dim(\mathcal{C}^\perp)$; i.e. if $C = D$); also note that we do not know the rank of $H$. To "invert" $H$ in these circumstances 
we have to apply the Singular-Value Decomposition Theorem for general matrices. Let us consider separately the 
cases of maximum and non-maximum rank. 

1. The rank of H is maximum 

If $C = D$, then $\mathrm{rank}(H) = C$, $\det(H) \neq 0$, and therefore $H$ is nonsingular. If $C \neq D$, we can use the Singular-Value 
Decomposition of $H$ to show that: 

1. If $C < D$, there exists an operator $J$ such that $HJ = I_{C \times C}$. 

2. If $C > D$, there exists an operator $J$ such that $JH = I_{D \times D}$. 

In both cases it can be shown that Eqs. (15)-(18) have a non-trivial solution for $F_{ii}$ and $F_{oo}$. For example, if $C < D$ 
we could select a non-trivial $F_{oo}$ obeying (16), then $F_{ii}$ would be uniquely obtained from (17), and it is not difficult 
to show that they would also obey (15) and (18). 

2. The rank of H is not maximum 

Suppose $\mathrm{rank}(H) = N < C < D$. The Singular-Value Decomposition leads in this case to $H = V S W^\dagger$, where $V$ 
and $W$ are unitary matrices, and $S$ is the diagonal matrix containing in its diagonal the singular values of $H$. Note 
that, since $\mathrm{rank}(H) < C$, part of the singular values will be zero. Therefore, it is straightforward to see that one can 
find in this case a matrix $J$ such that 



HJ 



Inxn 












(19) 



This would be the "inversibility" condition for $H$ in this case. Although the algebra is a little bit more complicated 
now, also in this case one can show that Eqs. (15)-(18) have a non-trivial solution for $F_{ii}$ and $F_{oo}$. The same 
conclusion can be reached if $\mathrm{rank}(H) = N$ and $C > D$. Note, however, that now the family of solutions is bigger than 
in the former case, because, given $F_{oo}$, there is more than one $F_{ii}$ fulfilling (17). 

In summary, we have shown that when $K = 2$ (Alice's and Bob's keys are one-bit long), Eve can always successfully 
manipulate Alice's message and pass Bob's verification test. Therefore, one-bit keys, independently of the length of 
the tag appended to the message and of the length of the message itself, cause the failure of the protocol. This result 
generalizes our conclusion in |^ to arbitrary message and tag spaces. 



B. K >2 



In the preceding Subsection we have seen that Eve can select a unitary quantum operation, $F_{\mathcal{E}}$, such that conditions 
(15)-(18) are satisfied for $k \le 1$. Let us see whether she can select an $F_{\mathcal{E}}$ obeying also (11)-(14) $\forall k > 1$. Consider the 
first of the conditions, Eq. (11). This equation, for the case of the preceding Subsection ($k \le 1$), is $[F_{ii}, G_{ii}(1)] = 0$. 



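Since $G_{ii}(1)$ is Hermitian, it can be written in diagonal form: 

$$G_{ii}(1) = \begin{pmatrix} \lambda^{1}_{ii}(1) & & \\ & \ddots & \\ & & \lambda^{C}_{ii}(1) \end{pmatrix}, \tag{20}$$

where the $\lambda^{r}_{ii}(1)$ ($r = 1, \dots, C$) are the eigenvalues of $G_{ii}(1)$. If we denote the $p,q$ element of $F_{ii}$ as $a_{ii}(p,q)$, the 
condition $[F_{ii}, G_{ii}(1)] = 0$ requires that 

$$\lambda^{p}_{ii}(1) = \lambda^{q}_{ii}(1), \quad \forall p \neq q; \ p,q = 1, \dots, C, \tag{21}$$

(22) 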



Eq. (21) is a requirement on Alice and Bob, so they, in order to protect themselves from Eve's attack, can by design 
avoid it, just selecting $G_{ii}(1)$ with all its eigenvalues different. This can be done only in the case that $C \le D$, because 
if $C > D$ the unitarity of $U(1)$ shows that at least $C - D$ eigenvalues have to be equal to one. Thus, from now on we 
will impose $C \le D$ and consider separately the cases $C = D$ and $C < D$. In both cases, however, Eve will have to 
choose $F_{ii}$ obeying (22), i.e. $F_{ii}$ must be diagonal in the same basis in which $G_{ii}(1)$ is diagonal: 



F — 



V 



(23) 



where = 1 ($r = 1, \dots, C$). 

1. The case C = D 

Let us see if the diagonal form of $F_{ii}$ is compatible with, for instance, the condition $[F_{ii}, G_{ii}(2)] = 0$. If we denote 
by $g^{(2)}_{ii}(p,q)$ the $p,q$ element of $G_{ii}(2)$, this commutator is zero when 

$$a^{p}_{ii} = a^{q}_{ii}, \quad \forall p \neq q, \tag{24}$$

or 

$$g^{(2)}_{ii}(p,q) = 0, \quad \forall p \neq q. \tag{25}$$

Again, Eq. (25) is a requirement on Alice and Bob, and they can, by design, avoid it. This means that Eve, in order to 
be successful in her attack, would have to fulfill (24). But this condition implies that $F_{ii} = \exp(i\alpha) I_{C \times C}$, with $\alpha$ any 
angle. Since $C = D$ and $\mathrm{rank}[H(1)]$ is maximum (which depends only on Alice and Bob), $F_{oo}$ is uniquely determined 
by (17) and must also have the form $F_{oo} = \exp(i\alpha) I_{C \times C}$. In conclusion, $F_{\mathcal{E}}$ would be a modulus-one multiple of the 
identity operation, but this is the trivial solution (Eve does not modify the state in the channel). 

In summary, we have shown that if Alice and Bob select the splitting of $\mathcal{E} = \mathcal{C} \oplus \mathcal{C}^\perp$, $U(1)$ and $U(2)$ such that 

1. $\dim(\mathcal{C}) = \dim(\mathcal{C}^\perp)$, 

2. $\mathrm{rank}[H(1)]$ and $\mathrm{rank}[H(2)]$ are maximum, 

3. $G_{ii}(1)$ and $G_{ii}(2)$ have all their eigenvalues different, 

4. and $G_{ii}(1)$ and $G_{ii}(2)$ do not share any eigenvector, 

then Eve cannot, by performing a unitary operation on the state in the channel, produce the failure of the protocol in a 
deterministic way. Thus two bits of key are sufficient to make the probability of Eve being unnoticed less than one. 

The four conditions above can be analysed from a geometric perspective. The first one says that half of the tag 
space is considered valid by Alice and Bob, which in fact is equivalent to having just one qubit of tag. In the second 
condition $H(1) = U_{ii}(1)U^\dagger_{oi}(1)$, so its rank is maximum and equal to $C$ only if the ranks of $U_{ii}(1)$ and $U_{oi}(1)$ are also $C$. 
This means that $\mathcal{C}_1$, the subspace of valid messages transformed by $U(1)$, is such that no state in $\mathcal{C}_1$ has null projection 
over $\mathcal{C}$ nor $\mathcal{C}^\perp$. In other words, $\mathcal{C}_1$ is maximally spread over the original valid and invalid message subspaces, and the 
same holds for $U(2)$. In the third condition, $G_{ii}(1) = U_{ii}(1)U^\dagger_{ii}(1)$, thus the basis where $G_{ii}(1)$ is diagonal represents 
a basis of $\mathcal{C}$ with the following property: its image under $U^\dagger(1)$, projected over $\mathcal{C}$, is a $C$-dimensional set of orthogonal 
vectors, and the norm of each projected vector is given by the corresponding eigenvalue of $G_{ii}(1)$. If the eigenvalues 
are all different then this basis is unique up to some arbitrary global factors. Finally, the fourth condition says that 
the above bases for $G_{ii}(1)$ and $G_{ii}(2)$ are maximally spread one over the other. 



2. The case C < D 

If $C < D$, $F_{oo}$ is not uniquely determined by (^) and the situation is more complex. From now on we shall assume 
that $D$ is an integer multiple of $C$, so $D = qC$, $q > 1$. This is in fact the natural situation when using qubits, since 
both $D$ and $C$ are powers of two. Following the argument of the preceding section, in the bases of $\mathcal{C}$ and $\mathcal{C}^\perp$ where 
$G_{ii}(1)$ and $G_{oi}(1)$ are respectively diagonal, from (^^, with $k = 1$, we get: 

$$F_{oo} = \begin{pmatrix} \exp(i\alpha) I_{C} & \\ & W_1 \end{pmatrix}, \tag{26}$$

with $W_1$ an arbitrary unitary operator in a $(q-1)C$-dimensional space. But we may obtain further restrictions on 
$W_1$ from (|l^)-(^^. First, note that $[F_{oo}, G_{oi}(1)] = 0$ for all $W_1$. The reason is that, although $G_{oi}(1)$ is diagonal, 
$W_1$ does not have to be, since $G_{oi}(1)$ has at least $(q-1)C$ zero eigenvalues (recall that it is a $qC$-dimensional Hermitian 
operator and its maximum rank is $C$). Let us write the matrix representation of $G_{oi}(1)$ as 

$$G_{oi}(1) = \begin{pmatrix} \Lambda_{oi}(1) & \\ & 0_{(q-1)C} \end{pmatrix}, \tag{27}$$

where $\Lambda_{oi}(1)$ is the diagonal $C$-dimensional matrix containing the non-zero eigenvalues of $G_{oi}(1)$, and $0_{(q-1)C}$ is the 
zero, $(q-1)C$-dimensional matrix. Now Alice and Bob, in order to choose a $U(2)$ such that $G_{oi}(1)$ and $G_{oi}(2)$ do not 
share any eigenvector, would like to restrict $W_1$ as much as possible. But, since both operators have $(q-1)C$ zero 
eigenvalues (i.e. $\dim(\ker[G_{oi}(1)]) = \dim(\ker[G_{oi}(2)]) = (q-1)C$), this cannot be done. The reason is that the total 
space where $G_{oi}(k)$ acts has dimension $qC$, so $\dim\{\ker[G_{oi}(1)] \cap \ker[G_{oi}(2)]\} \ge (q-2)C$. Thus, $G_{oi}(1)$ and $G_{oi}(2)$ 
share at least $(q-2)C$ eigenvectors. 

For simplicity, although this might not be the optimal situation, let us further assume that Alice and Bob choose 
$U(2)$ such that $G_{oi}(1)$ and $G_{oi}(2)$ are diagonal in the same basis, but $G_{oi}(2)$ has its $C$ non-zero eigenvalues shifted in 
the following way: 

$$G_{oi}(2) = \begin{pmatrix} 0_{C} & & \\ & \Lambda_{oi}(2) & \\ & & 0_{(q-2)C} \end{pmatrix}. \tag{28}$$



If the eigenvalues of $G_{ii}(2)$ are all different, the unitarity of $U(2)$ makes the eigenvalues of $G_{oi}(2)$ also different 
(in fact, each pair sums up to 1). Then $[F_{oo}, G_{oi}(2)] = 0$ if and only if $W_1$ has the following block diagonal form: 

$$W_1 = \begin{pmatrix} \Omega_{C} & \\ & W_2 \end{pmatrix}, \tag{29}$$



with $\Omega_C$ a unitary, diagonal, $C$-dimensional matrix, and $W_2$ any unitary $(q-2)C$-dimensional operator. Using the 
result above, together with $F_{ii} = \exp(i\alpha) I_C$, in (O) or dlj) with $k = 2$, gives $\Omega_C = \exp(i\alpha) I_C$, so we have: 

$$F_{oo} = \begin{pmatrix} \exp(i\alpha) I_{C} & & \\ & \exp(i\alpha) I_{C} & \\ & & W_2 \end{pmatrix}. \tag{30}$$

Following the same line of reasoning, it is not difficult to see that, in order to make $F_{oo} = \exp(i\alpha) I_{qC}$, Alice and Bob 
need $q + 1$ unitary encoding operators, $U(0), \dots, U(q)$, such that: 

1. $\mathrm{rank}[H(k)]$ is maximum $\forall k > 0$; 

2. $G_{ii}(k)$ has all its eigenvalues different $\forall k > 0$; 

3. for at least two values of $k$, say $r, s \neq 0$, $G_{ii}(r)$ and $G_{ii}(s)$ do not share any eigenvector; 

4. and $\forall k \neq k'$, $k, k' \neq 0$, the ranges of $G_{oi}(k)$ and $G_{oi}(k')$ span disjoint, orthogonal, $C$-dimensional subspaces of $\mathcal{C}^\perp$. 

In the particular case in which we have messages of $m$ qubits, a tag of $t$ qubits, and just a one-dimensional valid 
tag subspace, $C = 2^m$ and $D = (2^t - 1)C$, so $q + 1 = 2^t$, and the number of bits of the classical key equals the number 
of tag qubits. 

IV. THE FORGERY ATTACK 

Assume now that Eve has the power to replace the tagged message in transit between Alice and Bob with a forged 
tagged message of her own, $\rho_E$. From this tagged message, Bob will decode the state 

$$\rho^{B}_{\mathcal{E}}(k) = U^\dagger(k)\,\rho_E\,U(k), \tag{31}$$

if the value of the key shared with Alice is $k$. The probability of Eve being undetected is one when Eq. (^) is satisfied, 
where $\rho^{B}_{\mathcal{E}}(k) = U^\dagger(k)\,\rho_E\,U(k)$. This condition can be restated as 

$$P_i\,U^\dagger(k)\,\rho_E\,U(k)\,P_i = U^\dagger(k)\,\rho_E\,U(k), \quad \forall k. \tag{32}$$

If we rewrite this equation in terms of the 'i-o' decompositions of its operators, one finds that the $k = 0$ case requires 
$\rho_E$ to be necessarily of the form 



and that, in the rest of the cases ($\forall k \neq 0$), $U^\dagger_{io}(k)\,\rho_{ii} = 0$, or, equivalently, 

$$\rho_{ii} \in \bigcap_{k \neq 0} \ker[U^\dagger_{io}(k)]. \tag{34}$$

In order to make Eve's attack unsuccessful, Alice and Bob should choose the $U^\dagger_{io}(k)$ such that $\bigcap_{k \neq 0} \ker[U^\dagger_{io}(k)] = \{0\}$. 
One possibility is that $\ker[U^\dagger_{io}(k)] = \{0\}$, $\forall k \neq 0$. This can be accomplished if the dimensions of the spaces $\mathcal{C}$ and $\mathcal{C}^\perp$, 
$C$ and $D$, respectively, are such that $C < D$, since, in this case, Alice and Bob can always make the rank of $U^\dagger_{io}(k)$ 
equal to $C$, $\forall k \neq 0$. Geometrically, this condition says that no state in $\mathcal{C}$ has null projection over $\mathcal{C}^\perp$ after it has been 
transformed by $U^\dagger(k)$. In other words, the subspace $\mathcal{C}_k$ is different from $\mathcal{C}$, $\forall k > 0$. 



V. DISCUSSION 



In the preceding sections we have shown the feasibility of quantum authentication schemes based on unitary coding 
sets. We have given the conditions that a particular family of unitary operations $\{U(k)\}$, $k = 0, \dots, K-1$, has to 
fulfill in order to make, under unitary and forgery attacks, Eve's probability of success less than one. In the case of the 
unitary attack we have shown that $\log(q + 1)$ bits of classical key are enough when the ratio between the dimensions 
of the invalid and valid tag subspaces is $q$, independently of the number of qubits of the original message. This result 
may seem surprising, but not too practical since one would expect the effectiveness of such a protocol to be very low. 
In fact, to quantitatively study the security of an authentication protocol based on this scheme, one should find an 
appropriate family $\{U(k)\}$ and obtain lower bounds for $P_f$ and $P_u$, the error probabilities under forgery and unitary 
attacks, respectively. 

In the case of the forgery attack, 

$$P_f = \frac{1}{K}\sum_{k=0}^{K-1} \mathrm{Tr}_{\mathcal{E}}\left[P_i\,U^\dagger(k)\,\rho_E\,U(k)\right] = \frac{1}{K}\sum_{k=0}^{K-1} \mathrm{Tr}_{\mathcal{E}}\left[P_i(k)\,\rho_E\right], \tag{35}$$

with $P_i(k) = U(k) P_i U^\dagger(k)$ the projector over $\mathcal{C}_k$, and $\rho_E$ any state in $\mathcal{E}$ selected by Eve. The above probability is 
bounded by the maximum eigenvalue of the Hermitian operator $\sum_{k=0}^{K-1} P_i(k)$, so Alice and Bob's goal is to minimize 
the maximum eigenvalue of this operator. For simplicity, assume the dimension of the total Hilbert space $\mathcal{E}$ is an 
integer multiple of the dimension of the code subspace $\mathcal{C}$, $E = pC$, $p > 1$. If Alice and Bob choose a family $\{U(k)\}$ 
with $K < p$, such that the projectors $\{P_i(k)\}$ are mutually orthogonal, then the maximum eigenvalue of $\sum_{k=0}^{K-1} P_i(k)$ 
is minimized to one, and $P_f \le 1/K$. 

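But unfortunately this family of encoding operators is clearly insecure against the unitary attack. The complete 
expression for $P_u$, the probability of Eve being unnoticed when Alice prepared $\rho_{\mathcal{E}}$ under the unitary attack, is: 

$$P_u = \frac{1}{K}\sum_{k=0}^{K-1} \mathrm{Tr}_{\mathcal{E}}\left[P_i\,U^\dagger(k)\,F_{\mathcal{E}}\,\rho_{\mathcal{E}}(k)\,F^\dagger_{\mathcal{E}}\,U(k)\right] = \frac{1}{K}\sum_{k=0}^{K-1} \mathrm{Tr}_{\mathcal{E}}\left[P_i(k)\,F_{\mathcal{E}}\,\rho_{\mathcal{E}}(k)\,F^\dagger_{\mathcal{E}}\right], \tag{36}$$

with $\rho_{\mathcal{E}}(k) = U(k)\,\rho_{\mathcal{E}}\,U^\dagger(k)$. Because the subspaces $\mathcal{C}_k$ obtained after transforming $\mathcal{C}$ with the $U(k)$ above are all 
orthogonal, disjoint subspaces of $\mathcal{E}$, if Eve chooses a unitary operator $F_{\mathcal{E}}$ acting inside each subspace separately with 
the general form: 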



K-l 
1=0 



(37) 

then its action on $\rho_{\mathcal{E}}(k)$ gives $F_{\mathcal{E}}\,\rho_{\mathcal{E}}(k)\,F^\dagger_{\mathcal{E}} = P_i(k)\,F_{\mathcal{E}}\,\rho_{\mathcal{E}}(k)\,F^\dagger_{\mathcal{E}}\,P_i(k)$, which is invariant under projection over $P_i(k)$. 
Therefore, 



= 1. 



(38) 



k=t) 
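
The trade-off described above, as an added example that is not part of the original paper: a toy instance with a one-qubit message and a one-qubit tag (valid tag $|0\rangle$), using the assumed coding set $U(0) = I$, $U(1) = I \otimes X$, whose code subspaces are orthogonal (here $K = p = 2$). It evaluates Eqs. (35) and (36) numerically: each forgery tried is accepted with probability $1/K = 1/2$, while Eve's assumed operation $Z \otimes I$, which acts inside each subspace, is accepted with probability one even though the recovered message is orthogonal to the original.

```python
# Added example (not from the paper): 1-qubit message, 1-qubit tag.
# Basis index = 2*m + t; the valid tag is |0>, so C = span{|m>|0>}.
import math

I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
P0 = [[1, 0], [0, 0]]                 # |0><0| on the tag space T

def matmul(A, B):
    return [[sum(A[i][n] * B[n][j] for n in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]

def dagger(A):
    return [[complex(A[j][i]).conjugate() for j in range(len(A))]
            for i in range(len(A[0]))]

def kron(A, B):
    return [[a * b for a in ra for b in rb] for ra in A for rb in B]

def trace(A):
    return sum(A[n][n] for n in range(len(A)))

def conj_by(op, rho):
    """Return op rho op†."""
    return matmul(matmul(op, rho), dagger(op))

def pure(psi):
    """Density matrix |psi><psi| of a state vector."""
    return [[a * complex(b).conjugate() for b in psi] for a in psi]

P_i = kron(I2, P0)                    # projector onto C = M (x) V
# Assumed coding set: U(0) = I, U(1) = I (x) X, so C_1 = C-perp and the
# projectors P_i(0), P_i(1) are mutually orthogonal.
U = [kron(I2, I2), kron(I2, X)]
K = len(U)

def encode(psi, k):
    """Tagging then encoding, Eq. (1): U(k) (rho_M (x) |0><0|) U†(k)."""
    return conj_by(U[k], kron(pure(psi), P0))

def accept_prob(rho, k):
    """Bob decodes with U†(k), measures the tag: Tr[P_i U†(k) rho U(k)]."""
    return trace(matmul(P_i, conj_by(dagger(U[k]), rho))).real

def forgery_success(rho_forged):
    """P_f of Eq. (35): acceptance probability averaged over the key."""
    return sum(accept_prob(rho_forged, k) for k in range(K)) / K

def unitary_attack(F, psi):
    """Return (P_u, fidelity) when Eve applies F in the channel, Eq. (36).

    fidelity is <psi| rho_M' |psi> averaged over the keys Bob accepts,
    where rho_M' is the message Bob recovers by tracing out the tag.
    """
    p_sum, fid_sum, accepted = 0.0, 0.0, 0
    for k in range(K):
        tampered = conj_by(F, encode(psi, k))
        p = accept_prob(tampered, k)
        p_sum += p
        if p > 1e-12:
            kept = conj_by(P_i, conj_by(dagger(U[k]), tampered))
            # Partial trace over the tag qubit, renormalised by p.
            rho_m = [[(kept[2 * a][2 * b] + kept[2 * a + 1][2 * b + 1]) / p
                      for b in range(2)] for a in range(2)]
            fid_sum += sum(complex(psi[a]).conjugate() * rho_m[a][b] * psi[b]
                           for a in range(2) for b in range(2)).real
            accepted += 1
    return p_sum / K, (fid_sum / accepted if accepted else None)

s = 1 / math.sqrt(2)
plus = [s, s]                         # constructed sample message |+>
forged_a = pure([1, 0, 0, 0])         # constructed forgery: |0>|0>
forged_b = pure([s, 0, 0, s])         # constructed forgery: entangled state

if __name__ == "__main__":
    print("honest:", [round(accept_prob(encode(plus, k), k), 6) for k in range(K)])
    print("forgery:", forgery_success(forged_a), forgery_success(forged_b))
    print("Z on message:", unitary_attack(kron(Z, I2), plus))
    print("X on tag:", unitary_attack(kron(I2, X), plus))
```

For contrast, the last call flips the tag qubit instead of acting inside each code subspace, and Bob rejects it under both keys.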



Finding a family $\{U(k)\}$ producing an acceptable bound for is not easy. One possible family, using the formalism 
of quantum stabilizer error correcting codes, has been given by Barnum |g] with '--^ $(2 + 2m/t)/(2^t + 1)$ for a key 
of length $2m + O(t)$ bits. Intuitively, the nature of the conditions on the $\{U(k)\}$ given in the preceding Section seems 
to indicate that $P_u$ would decrease with the overlapping between the subspaces $\mathcal{C}_k$; however, that overlapping cannot 
be too big, because if, in the limiting case, the subspaces $\mathcal{C}_k$ are actually the same subspace, then the probability 
of failure under both types of attacks would be one. Specifically, in the forgery case, $U(k) P_i U^\dagger(k) = P_i$ $\forall k$, and 
therefore $P_f = \frac{1}{K}\sum_{k=0}^{K-1} \mathrm{Tr}_{\mathcal{E}}(P_i\,\rho_E) = 1$ for any $\rho_E \in \mathcal{C}$. In the case of the unitary attack, if Eve chooses $F_{\mathcal{E}}$ such that 
$[F_{\mathcal{E}}, P_i] = 0$, then 

$$P_u = \frac{1}{K}\sum_{k=0}^{K-1} \mathrm{Tr}_{\mathcal{E}}\left[P_i\,F_{\mathcal{E}}\,\rho_{\mathcal{E}}(k)\,F^\dagger_{\mathcal{E}}\right] = \frac{1}{K}\sum_{k=0}^{K-1} \mathrm{Tr}_{\mathcal{E}}\left[P_i\,\rho_{\mathcal{E}}(k)\right] = 1, \tag{39}$$

where the last equality is obtained using the fact that if $\rho_{\mathcal{E}}(k) \in \mathcal{C}$, then $P_i\,\rho_{\mathcal{E}}(k) = \rho_{\mathcal{E}}(k)$, $\forall k$. Thus we would be 
looking for an intermediate situation, in which the $\mathcal{C}_k$ are neither orthogonal nor coincident $C$-dimensional subspaces 
inside $\mathcal{E}$. But what family of $\{U(k)\}$ is optimal remains an open problem. It might even be the case that no optimal 
strategy to handle at the same time the two types of attack can be found: loosely speaking, if we represent $P_u$ and 
$P_f$ against some type of measure of the overlapping between the subspaces $\mathcal{C}_k$, then one would expect $P_f$ to increase 
from its minimum value to one as the overlapping increases, and $P_u$ to have at least one minimum in an intermediate 
point between zero and total overlapping. But the two curves might not cross, or cross in different ways, making the 
decision on which is the optimal family of encoding operators not obvious. 



VI. CONCLUSION 



We have addressed the problem of how to authenticate quantum messages between two partners (Alice and Bob) 
connected by an ideal quantum communication channel. Any authentication process requires a previous secret between 
the communicating partners, and we have assumed that Alice and Bob share a classical secret key. Our authentication 
scheme uses a tagging procedure in the transmitting end, and unitary operations selected by the key (encoding and 
decoding rules), on both ends of the channel. In our feasibility analysis, failure can be caused by an undesired 
unitary manipulation of the information in transit between the partners, or by impersonation (forgery of a fake 
authentication message). We have shown the conditions that the sets of encoding and decoding rules must satisfy 
to make authentication possible. These conditions are better stated in terms of geometrical relations between the 
subspaces of valid tagged messages selected by each unitary rule. Specifically, to protect against forgery, we have 
shown that no pair of subspaces has to be coincident; in fact, the failure probability reaches its minimum, which is 
inverse in the key length, when the spaces are all disjoint and orthogonal. On the other hand, to protect against the 
unitary attack, the restrictions on the encoding rules are much more involved. Briefly, an intermediate situation, one 
in which the encoding subspaces are neither coincident nor disjoint, seems to be the desired setting. In particular, a 
key length of order D/C, the ratio between the dimension of the invalid and valid message subspaces, is enough. 

Many open questions related to the quantum authentication schemes analysed deserve further investigation. First, 
one would like to find the optimal family of encoding rules protecting against the unitary or even more general (those 
based on TPCP maps) attacks, and to give an explicit expression for the probability of failure in terms of the encoding 
rules employed. This may require a more practical definition of the probability of failure. For instance, Eve might, 
with high probability, transform the original message, but only in a way such that the fidelity between the original 
and the transformed state is still very high. It could also be the case that she could strongly transform, without being 
noticed, messages inside a particular subspace of the valid message space, and be noticed if she transforms messages 
outside it. All these situations would have to be considered by Alice and Bob in any practical implementation of 
the protocol. Another important practical issue is whether an optimal family of encoding rules against both types of 
attacks exists. 